feat: enhance app installation verification and attestation status

- Improve app attestation handling by introducing `VerificationResult` to distinguish between verified, unverified, and error states.
- Update `DetailsViewModel` and `SmartInstallButton` to display a "Could not verify" warning when attestation checks fail.
- Refactor `saveInstalledAppToDatabase` to accept pre-validated `ApkPackageInfo`, reducing redundant file parsing.
- Update `InstalledAppsRepository` to handle `isPendingInstall` status directly within the version update flow.
- Ensure the signing key warning state is cleared before proceeding with a manual override.
- Enhance `VersionHelper.normalizeVersion` to specifically strip the `refs/tags/` prefix.
- Add new localized string resource for unable to verify attestation status.

Author: rainxchzed

core/data/src/commonMain/kotlin/zed/rainxch/core/data/repository/InstalledAppsRepositoryImpl.kt

@@ -186,6 +186,7 @@ class InstalledAppsRepositoryImpl(
         newVersionName: String,
         newVersionCode: Long,
         signingFingerprint: String?,
+        isPendingInstall: Boolean,
     ) {
         val app = installedAppsDao.getAppByPackage(packageName) ?: return
 
@@ -220,6 +221,7 @@ class InstalledAppsRepositoryImpl(
                 latestVersionName = newVersionName,
                 latestVersionCode = newVersionCode,
                 isUpdateAvailable = false,
+                isPendingInstall = isPendingInstall,
                 lastUpdatedAt = System.currentTimeMillis(),
                 lastCheckedAt = System.currentTimeMillis(),
                 signingFingerprint = signingFingerprint,

core/domain/src/commonMain/kotlin/zed/rainxch/core/domain/repository/InstalledAppsRepository.kt

@@ -34,6 +34,7 @@ interface InstalledAppsRepository {
         newVersionName: String,
         newVersionCode: Long,
         signingFingerprint: String?,
+        isPendingInstall: Boolean = true,
     )
 
     suspend fun updateApp(app: InstalledApp)

core/presentation/src/commonMain/composeResources/values/strings.xml

@@ -210,6 +210,7 @@
     <string name="install_anyway">Install anyway</string>
     <string name="verified_build">Verified build</string>
     <string name="checking_attestation">Checking\u2026</string>
+    <string name="unable_to_verify_attestation">Could not verify</string>
     <string name="install_version">Install %1$s</string>
     <string name="failed_to_open_app">Failed to open %1$s</string>
     <string name="failed_to_uninstall">Failed to uninstall %1$s</string>

feature/details/data/src/commonMain/kotlin/zed/rainxch/details/data/system/AttestationVerifierImpl.kt

@@ -3,6 +3,7 @@ package zed.rainxch.details.data.system
 import zed.rainxch.core.domain.logging.GitHubStoreLogger
 import zed.rainxch.details.domain.repository.DetailsRepository
 import zed.rainxch.details.domain.system.AttestationVerifier
+import zed.rainxch.details.domain.system.VerificationResult
 import java.io.File
 import java.io.FileInputStream
 import java.security.MessageDigest
@@ -15,13 +16,14 @@ class AttestationVerifierImpl(
         owner: String,
         repoName: String,
         filePath: String,
-    ): Boolean =
+    ): VerificationResult =
         try {
             val digest = computeSha256(filePath)
-            detailsRepository.checkAttestations(owner, repoName, digest)
+            val hasAttestation = detailsRepository.checkAttestations(owner, repoName, digest)
+            if (hasAttestation) VerificationResult.Verified else VerificationResult.Unverified
         } catch (e: Exception) {
             logger.debug("Attestation check error: ${e.message}")
-            false
+            VerificationResult.Error(e.message ?: "Unknown error")
         }
 
     private fun computeSha256(filePath: String): String {

feature/details/data/src/commonMain/kotlin/zed/rainxch/details/data/system/InstallationManagerImpl.kt

@@ -120,16 +120,15 @@ class InstallationManagerImpl(
         }
 
     override suspend fun updateInstalledAppVersion(params: UpdateInstalledAppParams) {
-        val packageName = params.apkInfo.packageName
         installedAppsRepository.updateAppVersion(
-            packageName = packageName,
+            packageName = params.apkInfo.packageName,
             newTag = params.releaseTag,
             newAssetName = params.assetName,
             newAssetUrl = params.assetUrl,
             newVersionName = params.apkInfo.versionName,
             newVersionCode = params.apkInfo.versionCode,
             signingFingerprint = params.apkInfo.signingFingerprint,
+            isPendingInstall = params.isPendingInstall,
         )
-        installedAppsRepository.updatePendingStatus(packageName, params.isPendingInstall)
     }
 }

feature/details/domain/src/commonMain/kotlin/zed/rainxch/details/domain/system/AttestationVerifier.kt

@@ -9,11 +9,21 @@ interface AttestationVerifier {
      * Computes the SHA-256 digest of [filePath] and checks whether
      * the repository [owner]/[repoName] has a matching attestation.
      *
-     * @return `true` if a valid attestation exists, `false` otherwise.
+     * @return [VerificationResult.Verified] if a valid attestation exists,
+     *         [VerificationResult.Unverified] if no matching attestation was found,
+     *         [VerificationResult.Error] if the check could not be completed.
      */
     suspend fun verify(
         owner: String,
         repoName: String,
         filePath: String,
-    ): Boolean
+    ): VerificationResult
+}
+
+sealed interface VerificationResult {
+    data object Verified : VerificationResult
+
+    data object Unverified : VerificationResult
+
+    data class Error(val reason: String) : VerificationResult
 }

feature/details/domain/src/commonMain/kotlin/zed/rainxch/details/domain/util/VersionHelper.kt

@@ -8,9 +8,10 @@ import zed.rainxch.core.domain.model.GithubRelease
 object VersionHelper {
     fun normalizeVersion(version: String?): String =
         version
+            ?.trim()
+            ?.removePrefix("refs/tags/")
             ?.removePrefix("v")
             ?.removePrefix("V")
-            ?.trim()
             .orEmpty()
 
     /**

feature/details/presentation/src/commonMain/kotlin/zed/rainxch/details/presentation/DetailsViewModel.kt

@@ -22,6 +22,7 @@ import kotlinx.datetime.format.char
 import kotlinx.datetime.toLocalDateTime
 import org.jetbrains.compose.resources.getString
 import zed.rainxch.core.domain.logging.GitHubStoreLogger
+import zed.rainxch.core.domain.model.ApkPackageInfo
 import zed.rainxch.core.domain.model.FavoriteRepo
 import zed.rainxch.core.domain.model.GithubAsset
 import zed.rainxch.core.domain.model.GithubRelease
@@ -39,14 +40,15 @@ import zed.rainxch.core.domain.system.PackageMonitor
 import zed.rainxch.core.domain.use_cases.SyncInstalledAppsUseCase
 import zed.rainxch.core.domain.utils.BrowserHelper
 import zed.rainxch.core.domain.utils.ShareManager
-import zed.rainxch.details.domain.model.ReleaseCategory
-import zed.rainxch.details.domain.repository.DetailsRepository
-import zed.rainxch.details.domain.repository.TranslationRepository
 import zed.rainxch.details.domain.model.ApkValidationResult
 import zed.rainxch.details.domain.model.FingerprintCheckResult
+import zed.rainxch.details.domain.model.ReleaseCategory
 import zed.rainxch.details.domain.model.SaveInstalledAppParams
 import zed.rainxch.details.domain.model.UpdateInstalledAppParams
+import zed.rainxch.details.domain.repository.DetailsRepository
+import zed.rainxch.details.domain.repository.TranslationRepository
 import zed.rainxch.details.domain.system.AttestationVerifier
+import zed.rainxch.details.domain.system.VerificationResult
 import zed.rainxch.details.domain.system.InstallationManager
 import zed.rainxch.details.domain.util.VersionHelper
 import zed.rainxch.details.presentation.model.AttestationStatus
@@ -859,6 +861,7 @@ class DetailsViewModel(
 
     private fun overrideSigningKeyWarning() {
         val warning = _state.value.signingKeyWarning ?: return
+        _state.update { it.copy(signingKeyWarning = null) }
         dismissDowngradeWarning()
         viewModelScope.launch {
             try {
@@ -867,12 +870,12 @@ class DetailsViewModel(
 
                 if (platform == Platform.ANDROID) {
                     saveInstalledAppToDatabase(
+                        apkInfo = warning.pendingApkInfo,
                         assetName = warning.pendingAssetName,
                         assetUrl = warning.pendingDownloadUrl,
                         assetSize = warning.pendingSizeBytes,
                         releaseTag = warning.pendingReleaseTag,
                         isUpdate = warning.pendingIsUpdate,
-                        filePath = warning.pendingFilePath,
                         installOutcome = installOutcome,
                     )
                 }
@@ -966,6 +969,7 @@ class DetailsViewModel(
 
         val ext = assetName.substringAfterLast('.', "").lowercase()
         val isApk = ext == "apk"
+        var validatedApkInfo: ApkPackageInfo? = null
 
         if (isApk) {
             val validationResult =
@@ -1020,6 +1024,7 @@ class DetailsViewModel(
                 }
 
                 is ApkValidationResult.Valid -> {
+                    validatedApkInfo = validationResult.apkInfo
                     val fpResult =
                         installationManager.checkSigningFingerprint(validationResult.apkInfo)
                     if (fpResult is FingerprintCheckResult.Mismatch) {
@@ -1036,6 +1041,7 @@ class DetailsViewModel(
                                         pendingReleaseTag = releaseTag,
                                         pendingIsUpdate = isUpdate,
                                         pendingFilePath = filePath,
+                                        pendingApkInfo = validationResult.apkInfo,
                                     ),
                             )
                         }
@@ -1056,17 +1062,17 @@ class DetailsViewModel(
         // Launch attestation check asynchronously (non-blocking)
         launchAttestationCheck(filePath)
 
-        if (platform == Platform.ANDROID) {
+        if (platform == Platform.ANDROID && validatedApkInfo != null) {
             saveInstalledAppToDatabase(
+                apkInfo = validatedApkInfo,
                 assetName = assetName,
                 assetUrl = downloadUrl,
                 assetSize = sizeBytes,
                 releaseTag = releaseTag,
                 isUpdate = isUpdate,
-                filePath = filePath,
                 installOutcome = installOutcome,
             )
-        } else {
+        } else if (platform != Platform.ANDROID) {
             viewModelScope.launch {
                 _events.send(DetailsEvent.OnMessage(getString(Res.string.installer_saved_downloads)))
             }
@@ -1095,11 +1101,14 @@ class DetailsViewModel(
         _state.update { it.copy(attestationStatus = AttestationStatus.CHECKING) }
 
         viewModelScope.launch {
-            val verified = attestationVerifier.verify(owner, repoName, filePath)
+            val result = attestationVerifier.verify(owner, repoName, filePath)
             _state.update {
                 it.copy(
-                    attestationStatus =
-                        if (verified) AttestationStatus.VERIFIED else AttestationStatus.UNVERIFIED,
+                    attestationStatus = when (result) {
+                        is VerificationResult.Verified -> AttestationStatus.VERIFIED
+                        is VerificationResult.Unverified -> AttestationStatus.UNVERIFIED
+                        is VerificationResult.Error -> AttestationStatus.UNABLE_TO_VERIFY
+                    },
                 )
             }
         }
@@ -1209,22 +1218,15 @@ class DetailsViewModel(
     }
 
     private suspend fun saveInstalledAppToDatabase(
+        apkInfo: ApkPackageInfo,
         assetName: String,
         assetUrl: String,
         assetSize: Long,
         releaseTag: String,
         isUpdate: Boolean,
-        filePath: String,
-        installOutcome: InstallOutcome = InstallOutcome.DELEGATED_TO_SYSTEM,
+        installOutcome: InstallOutcome,
     ) {
         val repo = _state.value.repository ?: return
-        if (platform != Platform.ANDROID || !assetName.lowercase().endsWith(".apk")) return
-
-        val apkInfo = installer.getApkInfoExtractor().extractPackageInfo(filePath)
-        if (apkInfo == null) {
-            logger.error("Failed to extract APK info for $assetName")
-            return
-        }
 
         if (isUpdate) {
             installationManager.updateInstalledAppVersion(

feature/details/presentation/src/commonMain/kotlin/zed/rainxch/details/presentation/components/SmartInstallButton.kt

@@ -25,6 +25,7 @@ import androidx.compose.material.icons.filled.Delete
 import androidx.compose.material.icons.filled.KeyboardArrowDown
 import androidx.compose.material.icons.filled.Update
 import androidx.compose.material.icons.filled.VerifiedUser
+import androidx.compose.material.icons.outlined.Warning
 import androidx.compose.material3.CardDefaults
 import androidx.compose.material3.CircularProgressIndicator
 import androidx.compose.material3.ElevatedCard
@@ -65,6 +66,7 @@ import zed.rainxch.githubstore.core.presentation.res.installing
 import zed.rainxch.githubstore.core.presentation.res.not_available
 import zed.rainxch.githubstore.core.presentation.res.open_app
 import zed.rainxch.githubstore.core.presentation.res.show_install_options
+import zed.rainxch.githubstore.core.presentation.res.unable_to_verify_attestation
 import zed.rainxch.githubstore.core.presentation.res.uninstall
 import zed.rainxch.githubstore.core.presentation.res.update_to_version
 import zed.rainxch.githubstore.core.presentation.res.updating
@@ -569,7 +571,10 @@ fun SmartInstallButton(
 @Composable
 private fun AttestationBadge(attestationStatus: AttestationStatus) {
     AnimatedVisibility(
-        visible = attestationStatus == AttestationStatus.VERIFIED || attestationStatus == AttestationStatus.CHECKING,
+        visible =
+            attestationStatus == AttestationStatus.VERIFIED ||
+                attestationStatus == AttestationStatus.CHECKING ||
+                attestationStatus == AttestationStatus.UNABLE_TO_VERIFY,
         enter = fadeIn(),
         exit = fadeOut(),
     ) {
@@ -609,6 +614,21 @@ private fun AttestationBadge(attestationStatus: AttestationStatus) {
                     )
                 }
 
+                AttestationStatus.UNABLE_TO_VERIFY -> {
+                    Icon(
+                        imageVector = Icons.Outlined.Warning,
+                        contentDescription = null,
+                        modifier = Modifier.size(14.dp),
+                        tint = MaterialTheme.colorScheme.onSurfaceVariant,
+                    )
+                    Spacer(modifier = Modifier.width(4.dp))
+                    Text(
+                        text = stringResource(Res.string.unable_to_verify_attestation),
+                        style = MaterialTheme.typography.labelSmall,
+                        color = MaterialTheme.colorScheme.onSurfaceVariant,
+                    )
+                }
+
                 else -> {}
             }
         }

feature/details/presentation/src/commonMain/kotlin/zed/rainxch/details/presentation/model/AttestationStatus.kt

@@ -5,4 +5,5 @@ enum class AttestationStatus {
     CHECKING,
     VERIFIED,
     UNVERIFIED,
+    UNABLE_TO_VERIFY,
 }